From: Rainer Deyke (rdeyke_at_[hidden])
Date: 2024-07-09 20:14:25
On 09.07.24 16:37, Andrey Semashev via Boost wrote:
> On 7/9/24 17:29, Rainer Deyke via Boost wrote:
>> Passwords travel along a long chain from user input to system calls. The
>> entire chain needs to be secure or none of it is.
>
> Why does it have to be an "all or none" choice?
>
> Security is always about making life *hard enough* for the attacker so
> that the attack is not worthwhile. It is never about making the
> protection impenetrable, as there is simply no such thing.

Security is about identifying weaknesses and reinforcing them, not about
spraying obstacles around at random. No point in putting an extra
strong lock on your front door while the back door is wide open and the
east wall is missing.

So: is there any real attack in the wild that can be prevented by using
a secure string class?

-- Rainer Deyke (rainerd_at_[hidden])